SUN MICROSYSTEMS SECURITY BULLETIN: #00102
This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this
information without the express written consent of Sun Microsystems
shall be prohibited.
Sun expressly disclaims all liability for any misuse of this information
by any third party.
---------------------------------------------------------------------------
These patches are available through your local Sun answer centers
worldwide, as well as through anonymous ftp to ftp.uu.net in the
~ftp/sun-dist directory.
Please refer to the BugID and PatchID when requesting patches from Sun
answer centers.
NO README information will be posted in the patch on UUNET. Please refer
to the information below for patch installation instructions.
-------------------------------------------------------------------------
Sun Bug ID : 1040465 1044204 1040334 1047131 1049585
Synopsis : rpc.pwdauthd can be used to gain remote system knowledge
Sun Patch ID : 100201-01
Available for: sun3, sun4 SunOS 4.1, SunOS 4.1_PSR_A, SunOS 4.1.1
Checksum of compressed tarfile on uunet: 100201-01.tar.Z = 07797 118
--------------------------------------------------------------------------
README information follows:
Patch-ID# 100201-01
Keywords: login rpc.yppasswdd rpc.pwdauthd
Synopsis: SunOS 4.1, SunOS 4.1_PSR_A 4.1.1: c2 jumbo patch
Date: 15/Jan/91
SunOS release: 4.1 4.1_PSR_A 4.1.1
Unbundled Product:
Unbundled Release:
Topic:
BugIDs fixed for this patch: 1040465 1044204 1040334 1047131 1049585
Architectures for which this patch is available: sun3(x), sun4(c,490,390)
Patches which may conflict with this patch: 100138-02
This patch obsoletes patch 100138-02
Obsoleted by: Sys_V_Rel4
Problem Description:
This patch contains fixes for four bugs that were reported
in relation to C2 security.
login contains the bug fix related to password aging.
The bug is due to the fact that the utility in libc that is used
to read and parse passwd.adjunct does not parse the age field
correctly. It always returns an empty field. login uses
this utility to get the age field and does nothing with it.
Therefore password aging is disabled. passwd does not have
this problem because it reads and parses passwd.adjunct itself
and uses the actual age field.
rpc.pwdauthd contains the bug fix related to not being able to
disable remote use of the daemon. It also allows the daemon to
generate audit records using its own pseudo-user.
rpc.yppasswdd contains the fix for the daemon mysteriously dying.
It also allows the daemon to generate audit records using its
own pseudo-user.
Modified binaries:
/bin/login
/usr/etc/rpc.pwdauthd
/usr/etc/rpc.yppasswdd
INSTALL:
=============================================================================
= IF NIS is being run the new binaries need to be installed on all machines =
= in the domain. Additionally yppasswdd needs to be started in /etc/rc.local=
= edit /etc/rc.local and add in the following lines after the ypbind =
= startup statements: =
#This starts yppasswd daemon and tells it to look for the passwd.adjunct file
rpc.yppasswdd /etc/passwd /etc/security/passwd.adjunct -m
=============================================================================
Generically for all systems:
***************************************************************************
* The following pseudo-users must be added to /etc/passwd and *
* /etc/security/passwd.adjunct before changing any binaries *
* This is so the auditing of the rpc.pwdauthd and rpc.yppasswdd can occur *
* *
* /etc/passwd additions: *
* *
AUpwdauthd:##AUpwdauthd:10:10:::
AUyppasswdd:##AUyppasswdd:11:10:::
* *
* *
*/etc/security/passwd.adjunct additions: *
* *
AUpwdauthd:*:::::
AUyppasswdd:*:::::
* *
***************************************************************************
As root:
First save the FCS distribution versions as a precaution:
# cp /bin/login /bin/login.orig
# cp /usr/etc/rpc.pwdauthd /usr/etc/rpc.pwdauthd.orig
# cp /usr/etc/rpc.yppasswdd /usr/etc/rpc.yppasswdd.orig
It is critical that the following steps be completed in single-user
mode, so that the rpc.pwdauthd and rpc.yppasswdd daemons are both
disabled while the new versions are installed.
# shutdown now
The new version of the binaries can now be installed. The 4.1 and 4.1.1
versions are identical except for the library version they are expecting
to dynamically link to.
Substitute either sun3 or sun4 for {arch} and either 4.1 or 4.1.1 for {OS rev}
# cp {arch}/{OS rev}/login /bin/login
# chown root /bin/login
# chmod 4755 /bin/login
# chgrp staff /bin/login
# cp {arch}/{OS rev}/rpc.pwdauthd /usr/etc/rpc.pwdauthd
# chown root /usr/etc/rpc.pwdauthd
# chgrp staff /usr/etc/rpc.pwdauthd
# chmod 755 /usr/etc/rpc.pwdauthd
# cp {arch}/{OS rev}/rpc.yppasswdd /usr/etc/rpc.yppasswdd
# chown root /usr/etc/rpc.yppasswdd
# chgrp staff /usr/etc/rpc.yppasswdd
# chmod 755 /usr/etc/rpc.yppasswdd
Double check permissions of the new files.
If the permissions are set wrong, or the wrong architecture type is installed,
logging in will not be possible except in single-user mode
(boot -s).
Note that the example below does not show the size of the binary, as the sun3
and sun4 versions are different sizes.
Doing a "file /bin/login" should tell you that it is a:
mc68020 demand paged dynamically linked executable not stripped
on a sun3, and a:
sparc demand paged set-uid executable not stripped
on a sun4
# ls -lg /bin/login
-rwsr-xr-x 1 root staff
# ls -lg /usr/etc/rpc.pwdauthd
-rwxr-xr-x 1 root staff
# ls -lg /usr/etc/rpc.yppasswdd
-rwxr-xr-x 1 root staff
Now you can either give a ^D (control D) from single user
mode or reboot the machine. This finishes the installation.
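The two checks this procedure depends on (the pseudo-user entries being present before any binary is replaced, and the modes shown in the ls -lg listings) can be written as shell functions. This is an added example, not part of Sun's bulletin; the function names and the --run switch are assumptions, and it is written for a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the bulletin): checks around patch 100201-01.
# Function names and the --run switch are assumptions of this example.

# has_entry FILE LINE: true if FILE contains LINE as a whole line.
has_entry() {
    grep -Fqx -- "$2" "$1"
}

# check_pseudo_users PASSWD ADJUNCT: the four entries the bulletin says
# must exist before any binary is replaced.
check_pseudo_users() {
    rc=0
    for e in 'AUpwdauthd:##AUpwdauthd:10:10:::' \
             'AUyppasswdd:##AUyppasswdd:11:10:::'; do
        has_entry "$1" "$e" || { echo "missing in $1: $e"; rc=1; }
    done
    for e in 'AUpwdauthd:*:::::' 'AUyppasswdd:*:::::'; do
        has_entry "$2" "$e" || { echo "missing in $2: $e"; rc=1; }
    done
    return $rc
}

# check_mode FILE MODE: compare the ls mode string with the expected one.
check_mode() {
    actual=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    [ "$actual" = "$2" ] && return 0
    echo "$1: mode is '${actual:-absent}', expected '$2'"
    return 1
}

# Run against the live paths named in the bulletin only when asked to.
if [ "${1:-}" = "--run" ]; then
    status=0
    check_pseudo_users /etc/passwd /etc/security/passwd.adjunct || status=1
    check_mode /bin/login             '-rwsr-xr-x' || status=1
    check_mode /usr/etc/rpc.pwdauthd  '-rwxr-xr-x' || status=1
    check_mode /usr/etc/rpc.yppasswdd '-rwxr-xr-x' || status=1
    exit $status
fi
```

Ownership (root, group staff) is not checked here and is still read from the ls -lg output.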
Brad Powell
Sun Microsystems
Software Security Coordinator.